China: Draft Incident Reporting Regulation

1. Incident classification: Operators should classify the incident based on Annex 1 Cybersecurity Incident Classification Guide of the Measures, which categorises cybersecurity incidents into four levels from highest to lowest severity: extremely significant, significant, relatively significant, and general.
   
   
2. Initial report: Operators should implement appropriate security Measures and initiate reporting based on the classified level of the cybersecurity incident. The information should be included in the report and enterprises could rely on the Annex 2 Cybersecurity Incident Information Report Form of the Measures to the conduct report.
   
   
3. Supplementary report: If the cause, impact, or tendency of the incident cannot be determined during the initial report, or if new developments arise or significant progress is made in the investigation, Operators should submit a supplementary report.
   
   
4. Summary report: Once the incident has been resolved, Operators need to summarise and analyse, including the cause of the incident, contingency response Measures, harm, allocation of responsibilities, rectification status, lessons learned, etc.

Timeframe

The Measures specify different timeframes for three categories of reports.

1. Initial report: When relatively significant or extremely significant cybersecurity incidents occur, Operators shall report to the authorities within one hour. Considering the complexity of the reporting content, the 1-hour timeframe is extremely stringent for enterprises. Therefore, enterprises are recommended to formulate and implement contingency response plans, and ensure rapid identification of the facility, system, or platform where the security incident occurred.
   
   
2. Supplementary report: If applicable, Operators are required to submit a supplementary report within 24 hours.
   
   
3. Summary report: Operators need to summarise and analyse the incident within five working days and report to the authorities.

Next Steps, Impacts and Our Suggestions

The Measures has now completed its call for public comment, and the CAC will make further revisions based on the public comments. Although the exact timing of the release of the final version is uncertain, the issuance of the Measures indicates that enforcement activities related to cybersecurity incidents might become more frequent and stringent in the future.

We advise enterprises to continuously monitor further legislative developments and establish a comprehensive incident contingency response and reporting mechanism. It is recommended that enterprises conduct a prior mapping and prepare templates with basic information on each network and system in advance so that they can respond to incidents quickly and fulfil reporting obligations promptly. At the same time, enterprises should pay attention to the following aspects:

• Establishing data security management policy, especially emergency plans related to cybersecurity incidents.
• Conducting regular drills for cybersecurity incidents.
• Strengthening employees’ awareness of cybersecurity and data security through regular training and other means.
• Enhancing security risk detection during significant events, such as product launches, to prevent incidents like zero-day attacks.

For more information, please contact James Gong and Harry Qu.

SIGN UP TO OUR CONNECTED NEWSLETTER FOR A MONTHLY ROUND-UP FROM OUR REGULATORY & PUBLIC AFFAIRS TEAM